As discussed on the mailing list [1], we need to ensure filesystem permissions always grant access so that when doing our own access checks we don't run into situations where we grant access but the filesystem doesn't.
Mailing list consensus was to achieve this by setting "directory mask = 0777", "create mask = 0666", map archive|hidden|system|readonly to no.
I think I'll also add a recommendation to use "store dos attributes" to the vfs_acl_xattr|tdb manpages without forcing at runtime, because who knows what type of setups it may break.
[1] <https://lists.samba.org/archive/samba-technical/2016-August/115779.html>
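To check an existing configuration against the settings listed above, here is an added audit sketch (not Samba code and not part of the original message). It assumes the settings matter for shares whose "vfs objects" include acl_xattr or acl_tdb, reports unset parameters as unset instead of resolving Samba's built-in defaults, and runs on a constructed sample configuration.

```python
import configparser
import re

# Values from the mailing-list consensus quoted above.
REQUIRED = {"directory mask": "0777", "create mask": "0666", "map archive": "no",
            "map hidden": "no", "map system": "no", "map readonly": "no"}
ACL_MODULES = {"acl_xattr", "acl_tdb"}  # assumed scope: shares loading these modules

def _value(key, raw):
    if raw is None:
        return None                          # parameter not set in the file
    raw = raw.strip().lower()
    if key.endswith("mask"):
        return "%04o" % int(raw, 8)          # compare masks as octal numbers
    return {"false": "no", "0": "no"}.get(raw, raw)

def audit(text):  # returns {share: [(parameter, wanted, found), ...]}
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    # smb.conf parameter names are case-insensitive
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    glob = next((dict(cp[s]) for s in cp.sections() if s.lower() == "global"), {})
    report = {}
    for name in cp.sections():
        merged = {**glob, **dict(cp[name])}  # share settings override [global]
        modules = set(re.split(r"[\s,]+", merged.get("vfs objects", "")))
        if name.lower() == "global" or not modules & ACL_MODULES:
            continue
        report[name] = [(k, want, _value(k, merged.get(k)))
                        for k, want in REQUIRED.items()
                        if _value(k, merged.get(k)) != want]
    return report

# Constructed sample configuration, not taken from the page.
SAMPLE = """
[global]
   map archive = no
   map system = no
   Map Hidden = No
   map readonly = no
   directory mask = 0777
[projects]
   vfs objects = acl_xattr
   create mask = 0666
[legacy]
   vfs objects = acl_tdb streams_xattr
   create mask = 0644
   map hidden = yes
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A share with an empty list satisfies every listed setting; each tuple in a non-empty list names the parameter, the wanted value and the value found (None when unset).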